22 March 2015

IT Security essentials for small and medium enterprises

Since I first published the free eBook "Improve your security" dedicated to end users, I've been asked many times to give advice for small and medium enterprises. At first, I thought that this was a very different topic from what I wrote about before. However, after some thought, I realized that the behavior of end users at home and in the office of a small or medium company doesn't differ that much.

After all, it is no secret that cyber criminals go where the money is. If the targets are easy to breach, even better, since this improves their effort/outcome ratio. Small and medium-sized companies are usually preferred targets because they fit this category: they have money, more than private users, and are very easy to infiltrate. The tips below help these companies not only survive in the cyber world, but also keep attackers away.

1. Make the employees understand and care about security. Teach them how to act and react.

There are multiple aspects to the people problem, chiefly attitude and the usability of security.

First is the common attitude in companies: „security is the IT department's business“. IT tries its best, but there is no security solution that can fully protect you against what is happening in the wild. End users are easy targets; attackers compromise their systems and gain access to corporate networks and digital assets using techniques like:

– Malvertising attacks, which infect victims in the course of their normal Internet browsing, without them even clicking on the advertisement

– Spam and phishing emails that use social-engineering techniques to appear to be sent by well-known companies or other ‘trusted’ sources, but contain links to malicious sites

– Third-party applications that are either malicious or legitimate but bundled with malware, downloaded from popular online marketplaces. There are all kinds of marketplaces, targeting all possible platforms and devices.

While new technologies are created constantly, all security solutions are at least one step behind the threats out there, simply because there is no usable way to completely protect people against threats such as those mentioned above.

Second, people just want to get their jobs done. This is why they see security as something that gets in their way and slows them down. To get their job done faster, they are willing to stop or deactivate security programs (and infect their computer), use different Internet connections that go around the company's defenses (and infect their computer), take documents home so that they can work there (and lose them on the way), and bring their own devices into the company (and infect everyone else).

If companies invest more in making people understand what the risks and consequences are, they will see this problem differently. But this is a long topic which will be addressed in detail in another article.

2. Install security software on all devices

Security software is not the solution to all problems, as no software is able to protect users 100% against everything. But in this case, 90% or more is still better than nothing. The most attacked operating system is Windows, no question about that. But even if you are a Mac user, you should not think that you are safe. On the Mac there is also plenty of malicious software (especially trojans), and the amount of malware and exploitable vulnerabilities is increasing. With the increase of attacks on mobile platforms and the adoption of the browser as the new „operating system“, there are specific threats that apply to these platforms. As mentioned above, there are threats for smartphones and tablets running iOS and Android, and malicious browser extensions everywhere. Fortunately, there are also plenty of security solutions to protect against these threats, and the good news is that the majority of them are completely free. So there is no excuse to leave your device and browser unprotected.

3. Keep all programs up to date

Vulnerable programs are these days the most common way to attack victims and steal personal data. Mass media does a great job of disclosing any vulnerability found (sometimes even only an assumed vulnerability) in the most widely used software. Well-known cyber weapons like Uroburos, Stuxnet, Duqu and Flame have all exploited software vulnerabilities. Major vulnerabilities in server software such as POODLE (in SSL) and Heartbleed (in OpenSSL) have also been exploited, and in these cases it is not even known how long they were used and how much private information was stolen. The most vulnerable products are those that are considered system utilities, even though they are nothing more than commodities: Adobe Shockwave and Flash Player, Apple iTunes and QuickTime, and Oracle Java. Yes, it is possible to live without them, but it is not always easy. The best thing is to deactivate them if you don't need them - especially Java, but also Shockwave and Flash.

4. Filter the web traffic, block suspicious websites

Filtering means not only restricting access to various websites, but above all making sure that the traffic is cleaned up before it reaches the users. One factor which shows the importance of web filtering is that the websites users visit might have a very good reputation and still infect their visitors. This can happen through third-party advertisements which exploit vulnerabilities in browsers or, most commonly, in Flash Player, Silverlight and other web technologies. Other attack vectors that use websites as the delivery mechanism are drive-by downloads, malicious JavaScript injection, iframes, phishing websites and, most dangerous of all, spear-phishing websites. The web filtering solution should ideally be installed on the gateway. If your company is too small for this, then install a security suite on each computer connected to the Internet. Note that all computers should have a security solution installed (with a real-time scanner), but depending on their purpose, the coverage of the security solution can include a web filter, mail filter, firewall and so on.

5. Make backups the right way and keep them secure

There are only a few things in life that we can be sure will happen: one of them is that hard drives fail. It is just a matter of time until a catastrophic hard drive failure happens. Drives have a mean time between failures, and it is statistically known for each type of drive. So, better be prepared for this unpleasant event. The biggest mistake that many companies make is to keep backups on the same machine (on another hard drive) and in the same room/data center. This approach is definitely better than no backup at all, but it doesn't help in case of electrical surges or spikes (the entire computer gets damaged, including all components inside), fire, flood or theft in the data center. Backups must always be stored in a different place than the data being backed up. Always store the data encrypted, because you never know who will get access to the drives or tapes in the future. Using a cloud-based backup service is another way to mitigate these risks. The most important thing to do before using such a service is to encrypt the data. Never forget that the moment data leaves the computer, it no longer belongs to those who created it. It belongs to all the entities traversed between the computer and the storage server. This means that anyone can intercept the data in transit (even if it is transferred over SSL) and while it resides on storage. The biggest problem is that most online backup services do not easily support encrypting data on the client side (before upload). If you read in the SLA (Service Level Agreement) or EULA of the provider that they encrypt data, it means that they keep the data encrypted on storage. While this mitigates the situation where hardware gets stolen from the provider's datacenter, it doesn't mitigate the risk of an insider (employee or hacker) getting access to the private key the provider uses to encrypt the data on storage. The best thing is to send the data to the online storage already encrypted.
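As an added example (not code from the original post), here is a small POSIX shell script that does what this tip recommends: the backup is encrypted on the client with openssl before it is handed to any cloud or off-site storage, and on restore an HMAC over the ciphertext is checked first, so an altered or swapped backup is refused. It assumes openssl 1.1.1 or later (for `-pbkdf2`) and tar; all paths and the sample data are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: encrypt a backup on the client
# before it is handed to any cloud or off-site storage. Only the ciphertext
# and its MAC leave the machine; the passphrase file stays with the company.
# Assumes: openssl 1.1.1+ (for -pbkdf2) and tar. All paths are constructed.
set -eu

PBKDF2_ITER=200000

# Encrypt-then-MAC: AES-256-CBC with a PBKDF2-derived key, then HMAC-SHA256
# over the ciphertext so that tampering on the storage side is caught on restore.
# Simplification: the same passphrase feeds key derivation and the HMAC; a
# production tool would derive two independent keys from it.
encrypt_backup() {   # encrypt_backup SRC_DIR OUT_FILE PASSPHRASE_FILE
  src="$1"; out="$2"; pf="$3"
  tar -cf - -C "$src" . |
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$PBKDF2_ITER" \
      -pass "file:$pf" -out "$out"
  openssl dgst -sha256 -hmac "$(cat "$pf")" "$out" | awk '{print $NF}' > "$out.hmac"
}

# Succeeds only if the stored HMAC matches the ciphertext currently on disk.
verify_backup() {    # verify_backup ENC_FILE PASSPHRASE_FILE
  enc="$1"; pf="$2"
  expected=$(cat "$enc.hmac")
  actual=$(openssl dgst -sha256 -hmac "$(cat "$pf")" "$enc" | awk '{print $NF}')
  [ "$expected" = "$actual" ]
}

# Restore refuses to decrypt anything that fails the integrity check.
decrypt_backup() {   # decrypt_backup ENC_FILE DEST_DIR PASSPHRASE_FILE
  enc="$1"; dest="$2"; pf="$3"
  if ! verify_backup "$enc" "$pf"; then
    echo "refusing to restore: HMAC mismatch (altered backup or wrong passphrase)" >&2
    return 1
  fi
  mkdir -p "$dest"
  openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" -pass "file:$pf" -in "$enc" |
    tar -xf - -C "$dest"
}

# Demo on constructed sample data: encrypt, restore, then show that a single
# byte appended on the "storage side" makes the restore fail.
demo_backup() {
  work=$(mktemp -d)
  mkdir "$work/src"
  printf 'customer list: Alice, Bob (constructed sample)\n' > "$work/src/customers.txt"
  printf 'correct horse battery staple\n' > "$work/pass"
  encrypt_backup "$work/src" "$work/backup.tar.enc" "$work/pass"
  decrypt_backup "$work/backup.tar.enc" "$work/restore" "$work/pass"
  cmp -s "$work/src/customers.txt" "$work/restore/customers.txt" && echo "restore OK"
  printf 'x' >> "$work/backup.tar.enc"           # simulate tampering in storage
  decrypt_backup "$work/backup.tar.enc" "$work/restore2" "$work/pass" || echo "tamper detected"
  rm -rf "$work"
}

demo_backup
```

The passphrase file must never be part of the backup set or stored with the provider; if it is lost, the backups are unrecoverable, so keep an offline copy of it in a separate safe place.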

6. Protect and encrypt devices and storage

The biggest data leakages happen for two reasons:

– careless employees take confidential data with them on devices which they then lose

– hackers obtain access to the company's infrastructure.

While the second is a very complex topic to address, the first one has simple solutions. First of all, no confidential data, and especially no PII (Personally Identifiable Information), should leave the company. Even inside the company, there should be defenses in place so that not just anyone can access it. But this is the theory. In real life, employees want to optimize things and take work home. Yes, even if it contains sensitive data. Since this happens anyway, better be prepared for the inevitable: laptops, memory sticks and smartphones get lost or stolen. In these cases, the value of the device is not even comparable with the value of the data on it. To make it impossible for whoever gets the device to access the data, the storage or the data must be encrypted. The most user-friendly solution is to encrypt the entire storage with special software like BitLocker and the like.

Laptops should ideally have a power-on password and a user login to the operating system. The BIOS of the computer should be password protected in order to prevent attackers from overriding security measures and disabling TPM chips. Here you can find tips on how to create good passwords. Smartphones are nowadays powerful computers with quad-core processors and many gigabytes of storage. Without password/PIN protection and full storage encryption (internal storage and external micro SD cards), any attacker can obtain access to emails, VPN access and other interesting data available there.

About the (ISC)² Blog

As the certifying body for more than 125,000 cyber, information, software and infrastructure security professionals worldwide, (ISC)² believes in the importance of open dialogue and collaboration. (ISC)² established this blog to provide a voice to certified members, who have significant knowledge and valuable insights that can benefit other security professionals and the public at large.
